Todd Walton wrote:
> Anybody know anything about two factor authentication?
>
> What if I gave a token to the neighbor kid and told him to take it to
> my Aunt Millie across town. An hour later Aunt Millie calls me on our
> ultra-secure encrypted point to point telephone line to say that she
> has it. So I open my control panel and synchronize the server with
> her token, and then set her a PIN.
>
> Was having the token out of my control for that hour a security consideration?

Depends. Let's assume that there was no *physical* attack on the fob. Instead, the kid merely wrote down all the numbers on the fob during that hour. It could be possible to reconstruct the state of the PRNG inside the fob.

I don't think that it is very likely, so if you trust the courier to neither lose it nor break into it, you should be fine.

I found this mailing list digest useful to understand how RSA SecurID works:

http://www.mail-archive.com/[EMAIL PROTECTED]/msg03243.html
http://tinyurl.com/yq2n6r

-john
